Defending Against the Mirai Botnet

September 12, 2018 — by Ron Winward


When attacks from the Mirai botnet hit the network in 2016, we all knew something was different. You could feel it. In a 31-day span, the internet suffered three record-breaking attacks: Brian Krebs’ at 620 Gbps, OVH at 1.2 Tbps, and the widespread outages caused by the attack on Dyn DNS. Also within that window, the source code for Mirai was released to the world.

Mirai no longer holds the record for the largest volumetric attack on the Internet. That honor goes to the Memcached reflection attacks on GitHub. In fact, once the code was released, the landscape went from a few botnets with several enslaved members to several botnets with fewer members. More botnets were fighting to enslave a pool of devices.

Attackers Get Creative

Attackers, as they always do, got creative. By modifying the Mirai code, attackers could discover new devices by leveraging other known exploits. While many attackers were fighting for telnet access to IoT devices with traditional Mirai, new variants were developed to find additional methods of exploitation and infection. Examples include TR-064 exploits that were quickly added to the code (and used to infect the endpoints of service providers), a 0-day exploit on Huawei routers in several botnets, and the Reaper botnet, which includes 10 previously disclosed CVEs.

One thing that has remained the same, however, is the attack vectors that are included in the modern botnets. They’re largely all based on Mirai, and even if their infection methods differ, the attacks don’t change much.

For example, Masuta and DaddysMirai include the original Mirai vectors but removed the HTTP attack. Orion is an exact copy of the original Mirai attack table (and just like Mirai, has abandoned the PROXY attack). Owari added two new vectors, STD and XMAS.

Understanding IoT Attacks

My background in network engineering naturally made me curious about the impact of these attacks on the network. What do they look like in flight? How is each one different? Is one more of a threat than another? I have been studying the attack vectors since they were released in 2016, but with the observation that new variants largely included the same attacks (and some twists), it was clearly worth revisiting.

Today we launch a new publication, IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants. This is a collection of research on the attack vectors themselves and what they look like on the wire. You will see that they’re not much different from each other, with the only truly interesting change being the introduction of a Christmas Tree attack in Owari. But that too had some interesting challenges. You’ll have to read the guide to find out why.

It’s important to understand the capabilities of Mirai and other IoT botnets so that your organization can truly comprehend the threat. Manually reacting to these attacks is not viable, especially in a prolonged campaign. In many cases, it is possible to block some of these attacks on infrastructure devices such as core routers or upstream transit links, but in many others, it’s not.

Effectively fighting these attacks requires specialized solutions, including behavioral technologies that can identify the threats posed by Mirai and other IoT botnets. It also requires a true understanding of how to successfully mitigate the largest attacks ever seen. Hopefully, this handbook provides the guidance and insight needed for each vector if your organization ever needs to take emergency measures.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Attack Types & Vectors, Security

The Dyn Attack – One Year Later

October 19, 2017 — by Ron Winward


One year ago, a threat actor launched a DDoS attack that disrupted service of some of the internet’s biggest names. The Mirai botnet had enslaved hundreds of thousands of IoT devices and was used to attack several entities, including the managed Domain Name System (DNS) provider Dyn.

The attack on Dyn was an event that many referred to as a wake-up call for internet security.

Except the industry, by and large, never really woke up.


Risk Management from the CISO Perspective

June 8, 2017 — by Ron Winward


One of my favorite aspects of my role as a Security Evangelist for Radware is that I get the chance to really talk with business leaders about the challenges they face every day when protecting their business. I do a lot of listening, honestly, and I get the chance to learn a lot from these conversations.

Over the past few weeks, Risk and Risk Management have been common topics of discussion. They can be challenging because every business is different and we all face different risks or threats. Some of us have regulatory or compliance controls that we must operate within, which define how we handle certain risks. Others have customers who require that we maintain certain protocols and certifications as a method of protecting their data. Still others have no programs in place at all.


IoT Threats: Whose problem is it?

March 16, 2017 — by Ron Winward


If you think about it, 2016 was a year that will forever change the way many people think about cyber security and some fundamental best practices. After the attacks on Dyn shook the internet in October, many organizations will forever deploy redundant DNS services or providers. Further, people now use 1 Tbps as their high watermark for DDoS protections and more organizations are adopting hybrid DDoS protections.


The Economics of Cyber Attacks

October 5, 2016 — by Ron Winward


In the late 1800s, a gentleman named Charles Duryea had an idea. While attending the Ohio state fair in 1886, Duryea saw a 4HP, single-cylinder gasoline motor that he thought was sufficient to power a horseless carriage. As accomplished bicycle makers, Charles and his brother, Frank, went to work and in 1893 they tested their new invention, the first American-made automobile. By 1896, they had produced 13 automobiles and America’s first commercially-produced vehicle.

Chances are you’ve never heard of the Duryeas (or didn’t remember them). It’s common to hear that people think Henry Ford built the first vehicle, but in fact, he didn’t start building cars until 1901, and the Ford Motor Company wasn’t incorporated until 1903. Around the same time, there were over two hundred other automobile manufacturers operating in the US.

Attack Types & Vectors, Security

Hybrid mitigation – Why it’s exactly what you need in complex attacks

August 31, 2016 — by Ron Winward


Recently a company in the DDoS protection space published an article about how hybrid mitigation models are ineffective against large HTTP POST attacks. While we respect all of our industry colleagues and support their contributions to the space as a whole, I wanted to review the case study and offer a different perspective.

The hybrid mitigation model uses an appliance at the customer premises and cloud-based solutions for volumetric attacks that exceed the local internet capacity (or capacity of the local mitigation appliance).


CHI-NOG 2016 Recap

July 21, 2016 — by Ron Winward


A few weeks ago I had the honor of presenting at the Chicago Network Operators Group (CHI-NOG) conference about the current DDoS Threat Landscape and some of the tools people are using to attack networks today. It was the sixth iteration of the event, which continues to grow in size and content, and the second time that I have been fortunate to present about DDoS. Radware was pleased to be a sponsor of the event this year.

Attack Types & Vectors, DDoS, Security

How to Prepare for a DDoS Attack

March 29, 2016 — by Ron Winward


Our 2015-2016 Global Network & Application Security Report documented that 51% of businesses suffered a DDoS attack in 2015.  Further, 90% of businesses suffered some sort of cyber attack during that same period.  This is an astonishing number and as network operators, we need to be prepared.  DDoS attacks can be a debilitating event to your business, but they don’t have to be.  If you’re prepared, you can help control the outcome.

Attack Types & Vectors, DDoS, Hacks, Security

Cyber Security Predictions for 2016

January 14, 2016 — by Ron Winward


It’s fun to predict what may happen over a year in security.  The industry moves so fast and while some things do stay the course, it only takes one small catalyst to spark a new direction that nobody could have predicted.

There are many predictions already for 2016.  Radware has our own, which will be released soon as part of our annual Global Application & Network Security Report.  In the meantime, I wanted to share some other predictions made by other industry colleagues that piqued my personal interest.

Attack Types & Vectors, Hacks, Security

How Smoke Screen Cyber-Attacks Are Being Used in Data Breaches

December 9, 2015 — by Ron Winward

2015 was a paramount year in data exfiltration. You may be familiar with many of the data breaches that were covered in the media this year, including the United States IRS, several major health care providers, Ashley Madison, and most recently, the personal data of children and parents from the vTech breach. Just last week, retailer Target agreed to settle with several banks for $39 million over their 2013 data breach.